Patent Grant
9971912
A spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying the identifier and thereby gains unauthorized access to privileged resource. For example, an attacker can spoof email address belonging to a banking institution and trick the recipients into installing a rogue program. Similarly, an attacker can use DNS cache poisoning to redirect bank web site accesses to another server under control of the attacker. The attack server can capture user confidential information such as user name and passwords. These attacks are not specific to the Internet, but are found in all networks. These network systems must provide adequate protection against spoofing attacks and disclosure of confidential information.
The Management Component Transport Protocol (MCTP) is a protocol defined by the DMTF Platform Management Component Intercommunications sub-team of the DMTF Pre-OS Workgroup. MCTP is designed to support communications between different intelligent hardware components that make up a platform management subsystem that is provides monitoring and control functions inside a managed system. Various implementations of MCTP communication across a given medium are defined by companion transport binding specifications, such as, over PCIe and over SMBus/I2C. Since MCTP involves multiple entities communicating with each other, it is effectively a networked system. Therefore, MCTP needs to provide protections against spoofing and information disclosure in a manner that is a scalable hardware solution.
There are several manageability applications that require high bandwidth and low latency communication between various components. For example, media redirection and video redirection. Current solutions for the manageability applications include, a fast sideband bus likes RMII or an internal bus. Unfortunately, a dedicated sideband bus increases component costs due to more pins and limits motherboard placement options. Alternatively, internal busses limit mix and match and prevent Media redirection using a discrete LAN or discrete graphics component.
As previously discussed, present manageability applications require a fast sideband bus like RMII or an internal bus is used to meet these needs. Unfortunately, a dedicated sideband bus increases component costs due to more pins and limits motherboard placement options. Alternatively, internal busses limit mix and match and prevent Media redirection using a discrete LAN or discrete graphics component.
The Management Component Transport Protocol (MCTP) defines a communication model intended to facilitate communication between management controllers and other management controllers and between management controllers and management devices. This communication model includes a message format, transport description, message exchange patterns, and configuration and initialization messages. When MCTP is transported over PCI Express (MCTP over PCIe), it address the issues stated in the previous paragraph.
As previously discussed, a need exists to incorporate MCTP over companion transport binding specifications in a manner that increases security and is a scalable hardware solution.
The following description and embodiments allow for implementation in hardware in case some of the MCTP endpoints might not contain any firmware. Furthermore, the following descriptions and embodiments allow for a scalable solution for different market segments and are compatible with the existing MCTP standard.
In one embodiment, the claimed subject matter utilizes the PCI address BDF (Bus number, Device number, and Function number) for verification. In other embodiments, MCTP Endpoint ID (EID) can be used for verification. Under PCI and PCI Express architecture, each PCI Express endpoint is identified with a unique address that comprises of a PCI Bus number, PCI Device number and PCI Function number. These are referred to as the BDF. To further articulate and explain BDF, PCI/PCIe has the concept of PCI configuration Space. Each PCI express device contains number of registers that needs to be configured for the device to work. These registers are mapped in PCI configuration space. Individual devices are assigned a unique BDF. The host software can address each device separately using BDF. For example, bus 2, device 0, function 0 may be assigned to a NIC card and bus 3, device 0, function 0 may be assigned to the storage controller.
In one embodiment, MCTP endpoints may be designated into two classes, Privileged MCTP Endpoint (PME) and Service Provider MCTP Endpoint (SPME) for the purpose of discussing applications for security analysis. In one embodiment, the PMEs may be allowed to access privileged services (e.g. storage configuration) from Service Provider MCTP Endpoints (SPME) and are privy to sensitive (confidential) data. Some examples of PMEs could be a trusted embedded controller, such as a management engine (ME) in a client or ME/BMC in servers. In one embodiment, other manageability controllers may take the role of PME.
In contrast, SPMEs could be a Network Interface Card (NIC), graphics controller, a storage controller, a Central Processing Unit (CPU). In one embodiment, SPMEs that fulfill sensitive requests need assurance that the request is in fact coming from a PME and that confidential data sent back is not redirected to a rogue endpoint.
In one embodiment for a configuration, there is one or more Privileged MCTP Endpoints (PME) that is allowed to access the services from several Service Provider MCTP Endpoints (SPME). For example, BMC and a trusted embedded controller (ME for one embodiment) are the privileged entities that access services from Network and Storage Controllers via MCTP. Furthermore in some embodiments, a trusted embedded controller needs to access services from Network and Graphics Controllers. In addition, the privileged entities may sometimes play a role of service provider. For example, the trusted embedded controller may provide services to BMC in some configurations. Some of the services provided over MCTP may be benign (e.g. endpoint discovery), while some may be sensitive (e.g. read disk contents, capture screen etc.). The service provider that fulfils sensitive request needs an assurance that the request is in fact coming from PME.
In summary, the following embodiments utilize some or all of the following elements. In one embodiment, every SPME that provides security sensitive services maintains a Access Control List (ACL) consisting of PME PCI BDFs. SPME will compare the Requestor BDF field in MCTP packets against ACL, for every security sensitive service request.
Also, in one embodiment, each PCI Express Root Port and Switch Port in a processors and/or a chipset contain Address Validation Filter (AVF) logic that prevents rogue endpoints from spoofing PME BDFs. PCI Express Root ports and Switch Ports will compare the BDF fields in MCTP packets against this Address Validation List (AVL) for every request. In one embodiment, PCI Express Root Port and Switch Ports in a processors and/or a chipset also prevents traffic intended for PMEs from being redirected to rogue endpoints. Also, in another embodiment, a system on chip (SoC) implements the PCI Express Root Port and Switch Ports. Also, in one embodiment, the SoC supports external PCI Express slots or discrete devices.
In one embodiment, the ACL and AVL may be implemented in hardware registers that are programmable by a trusted embedded controller. In one embodiment, the trusted embedded controller is a management engine (ME).
In some embodiments, this solution can extended to handle cases where PME needs assurance that the response came from the intended SPME. This can be achieved by ensuring SPME PCI BDFs cannot be spoofed. This solution can also be extended to handle PMEs with various multiple privilege levels.
In one embodiment, the bus owner 102 may be a MCTP bus owner with a fixed PCIe address and is accessed via a route to root complex PCIe routing type.
Under MCTP architecture, the bus owner maintains the current MCTP EID to PCIe BDF number mapping. Also, endpoints can request Bus Owner to provide PCIe BDF for a given EID. Consequently, Endpoint can then use PCIe Bus/Device/Function number to communicate directly with the other Endpoint.
In this figure, a CPU root complex is connected to a PCH Root complex via a direct media interface (DMI) interconnect. However, the claimed subject matter is not limited to a DMI interconnect or CPU to PCH root complex combination.
Also, in one embodiment, all MCTP VDM traffic is directed through a PCIe Root port and/or Switch port before it reaches a peer endpoint. In one embodiment, the endpoints could be Network Interface Cards (NIC), Graphics controllers (GFX), Storage controllers, etc.
In one embodiment, each Endpoint and Port is accessible at its own Bus, Device, Function (BDF). Also, Bus Decoder Registers are present in PCIe Port including Root Ports and Host PnP Software allocates bus numbers to Endpoints by configuring these registers. These decoders control routing of MCTP VDMs.
For example, in one embodiment, the message flow 204 is a Broadcast from Root Complex are broadcast to all endpoints and are used by Bus Owner during MCTP discovery. In yet another example, the message flow 206 is a Route by ID and is directly routed to the destination (Peer to Peer, Peer to/from a trusted embedded controller, such as, a ME).
Also, in this same embodiment, the PCIe VDM header contains the MCTP transport header. In contrast, the PCIe VDM data contains the MCTP packet payload that comprises the message type, the MCTP message header and data (and could span multiple packets).
Also, in one embodiment, each PCI Express Root Port and Switch Ports in a processors and/or a chipset contain Address Validation Filter (AVF) logic that prevents rogue endpoints from spoofing PME BDFs. PCI Express Root ports and Switch Ports will compare the BDF fields in MCTP packets against this Address Validation List (AVL) for every request. AVF logic checks the PCI Requestor ID field (Bytes 4 and 5 in VDM header) on each upstream transaction against AVL to prevent rogue endpoints from spoofing PME BDF's. The Port shall inhibit the upstream MCTP transaction if the address is on the AVL. AVF logic checks the PCI Target ID field (Bytes 8 and 9 in VDM header) on each downstream transaction against AVL to prevent rogue endpoints from receiving traffic intended for PMEs. The Port shall inhibit the downstream MCTP transaction if the address is on the AVL.
In some embodiments, the silicon implementations of ACL and AVL may choose to perform partial decode i.e. decode bus number field alone in some market segments. Also, PCI Express Root Ports and Switch Ports can optionally log spoofing attempts in a register. All MCTP VDM traffic is directed through a PCIe Root port and Switch Ports before it reaches a peer endpoint.
In one embodiment, the ACL and AVL may be implemented in hardware registers. A trusted embedded controller, such as a ME in one embodiment, is responsible for determining PME list and programming ACL and AVL via a secure mechanism. The secure path can take various form
(a) point to point link, —Point to point links are not vulnerable to spoofing.
(b) links that are internal to the component—These are shielded from external accesses and thus provide necessary protection, For example, ME can use links internal to the chipset for securely communicating with devices and Root Ports and Switch Ports integrated in the South Bridge.
(c) Protected proprietary VDMs—These can be protected using proprietary logic in the PCIe Root ports. (d) MCTP VDMs originating from ME BDF—For this to work, the AVF will always block MCTP accesses originating from ME BDF. This will ensure that no external device can generate MCTP accesses with ME BDF.
ME can also examine unauthorized access attempts logged by Root Ports/Switch Ports/Endpoints and report those to higher level entity.
Specifically referring to
In one embodiment, the preceding description depicts the SPME maintaining an AVL and the root ports containing AVF to prevent rogue endpoints from spoofing PME Requestor IDs based on an AVL. Several implementations may be utilized for this claimed subject matter and are based at least in part on how dynamic features of the PME list. The following description describes three different implementations based on the type of PME list, such as, a static, boot time programmable, and runtime programmable.
In one embodiment, the PME list is a static PME list. For example, the ACL holds one requestor BDF, that for a trusted embedded controller, such as, a ME. As a result, the GFX controller will deny screen capture requests from other PCIe endpoints (bus 1 and bus 3). In one embodiment, a trusted embedded controller, such as, a ME is part of the PCI Express host bridge. Therefore, MCTP packets generated by ME will never pass through the PCIe Root Port in the upstream direction.
In another embodiment, the PME list is boot time programmable. For example, platforms that have more than one South Bridge and each South Bridge may have an instance of ME. The Requestor ID of the ME in secondary South Bridge will typically be programmable by BIOS at boot time. In such configuration, the PME lists will have to programmable. Primary ME can discover the presence of secondary ME, determine its bus number, lock the bus number and include that in ACL and AVLs.
To overcome the limitations of the prior art, the claimed subject matter prevents some operating systems from changing the bus number that is assigned to BMC using ACPI mechanisms. For example, BIOS can do that by declaring the root port upstream to BMC as a separate host bridge that has been allocated 1 bus. If the BMC bus number is pinned at boot time in this manner, ME can set up the PME list and thus ACLs/AVLs at boot time.
Since BMC's physical location and bus number may change from one platform to another, a trusted embedded controller, such as a ME, obtains this information from BMC. There are many ways to do this with varying degrees of complexity vs. security tradeoffs. In one current solution, the BMC is connected to ME via point to point SMBUS. BMC can use that point to point interface to communicate to ME which PCIe Root Port BMC is connected to. Alternately, BMC and ME can exchange this information over MCTP/PCIe securely using an encryption scheme. Since ME and BMC both contain firmware and enough MIPS, they will be able to encrypt the data inside this one packet every boot without much difficulty. Alternately, platform manufacturer can provide this information to ME via softstraps. Once ME knows the PCIe Root port that BMC is attached to, it can lock down the bus number fields in the root port to prevent malicious software from changing it. ME can then include BMC's BDS in AVL of all root ports, except the one above BMC. ME can also include BMC BDF in the various SPME ACLs. In some implementations, BMC can perform this activity as well.
The example shows the case where BMC is the privileged endpoint. NIC is the SPME. At the beginning of the flow, BMC's bus number is 3. For simplicity, the ACL and AVF logics only look at the bus number field and ignore device/function numbers. Initially, the SPME is configured to service requests for bus numbers 0 (ME) and 3. All root ports except the one upstream to BMC are configured to block MCTP requests with source bus numbers 0 or 3. Dotted transitions represent steps that are introduced by this invention. Unbroken transitions represent standard steps during MCTP bus renumbering flow. In one embodiment, the method described above is applicable to bus number assignment at boot time as well as during runtime (OS renumbering or hot plug).
According to PCIe specification, the bus number of a PCIe endpoint is changed when the device sees a type 0 PCI configuration write with a new bus number. In this case, the SW has chosen to change BMC's bus number to 4. From this point on, BMC is unable to access MCTP services from NIC since NIC doesn't entertain requests from bus number 4. According to MCTP specification, the endpoints notify the Bus Owner about bus number change via Discovery_Notify message. The Bus owner initiates the MCTP discovery process during which it reprograms certain MCTP parameters. Subsequently, BMC is able to generate MCTP messages with correct IDs. Once MCTP renumbering flow is complete, BMC notifies the trusted embedded controller, such as a ME, about the bus number change via s trusted path. As explained earlier, the trusted path can be a point to point interface or encrypted message over MCTP. ME proceeds to remove old BMC bus number from NIC ACL and reprograms AVLs in all root ports except the one above BMC. The old BMC bus number (3) in the AVL is replaced with the new bus number (4). From this point on, no endpoint besides BMC, can generate MCTP requests with bus number of 4. ME adds new BMC bus number to NIC ACL, thereby restoring BMC access to NIC MCTP services.
Embodiments may be implemented in code and may be stored on a storage medium having stored thereon instructions which can be used to program a system to perform the instructions. The storage medium may include, but is not limited to, any type of disk including floppy disks, optical disks, optical disks, solid state drives (SSDs), compact disk read-only memories (CD-ROMs), compact disk rewritables (CD-RWs), and magneto-optical disks, semiconductor devices such as read-only memories (ROMs), random access memories (RAMs) such as dynamic random access memories (DRAMs), static random access memories (SRAMs), erasable programmable read-only memories (EPROMs), flash memories, electrically erasable programmable read-only memories (EEPROMs), magnetic or optical cards, or any other type of media suitable for storing electronic instructions.
While the present invention has been described with respect to a limited number of embodiments, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover all such modifications and variations as fall within the true spirit and scope of this present invention.
This application is a continuation of application Ser. No. 12/806,643, filed Aug. 18, 2010, that is currently pending.
| Number | Name | Date | Kind |
|---|---|---|---|
| 7454554 | Norrie et al. | Nov 2008 | B1 |
| 7650645 | Langendorf et al. | Jan 2010 | B1 |
| 7779245 | Bachmutsky et al. | Aug 2010 | B2 |
| 7779275 | Thornton et al. | Aug 2010 | B2 |
| 7886335 | Chickering et al. | Feb 2011 | B1 |
| 7971261 | Pestoni | Jun 2011 | B2 |
| 8103810 | Brown et al. | Jan 2012 | B2 |
| 8132226 | Bianco et al. | Mar 2012 | B1 |
| 8205240 | Ansari et al. | Jun 2012 | B2 |
| 8230149 | Long et al. | Jul 2012 | B1 |
| 8719843 | Tamir | May 2014 | B2 |
| 8930609 | Natu | Jan 2015 | B2 |
| 20060143716 | Ikemoto | Jun 2006 | A1 |
| 20060212606 | Arndt | Sep 2006 | A1 |
| 20080235363 | Shah et al. | Sep 2008 | A1 |
| 20080244598 | Tolopka | Oct 2008 | A1 |
| 20090083760 | Slight | Mar 2009 | A1 |
| 20090119743 | Werner | May 2009 | A1 |
| 20090307719 | Clark et al. | Dec 2009 | A1 |
| 20110246756 | Smith | Oct 2011 | A1 |
| 20130080673 | Feehrer | Mar 2013 | A1 |
| 20130346666 | Chang et al. | Dec 2013 | A1 |
| Number | Date | Country |
|---|---|---|
| WO-2012024055 | Feb 2012 | WO |
| Entry |
|---|
| “International Search Report and Written Opinion”, Received from PCT for Patent Application No. PCT/US2011/045029, dated Feb. 9, 2012, 9 pages. |
| “Management Component Transport Protocol (MCTP) Base Specification”, Version 1.1.0, Apr. 22, 2010, 82 pages. |
| “Management Component Transport Protocol (MCTP) Host Interface Specification”, Version 1.0.0, Dated Jul. 21, 2010, 19 pages. |
| “Management Component Transport Protocol (MCTP) PCIe VDM Transport Binding Specification”, DMTF Standard Specification, DSP0238, Version 1.0.1, Dec. 11, 2009, pp. 1-19. |
| “Management Component Transport Protocol (MCTP) Tom Slaight”, Dec. 3-6, 2007, Management Development Conference, 24 pages. |
| Taiwan Notice of Allowance for counterpart Application No. 100128181, dated Nov. 17, 2015, 3 pages. |
| European Patent Application No. 11818524.8, European Search Report, dated Aug. 7, 2017, 13 pgs. |
| Number | Date | Country | |
|---|---|---|---|
| 20150096051 A1 | Apr 2015 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 12806643 | Aug 2010 | US |
| Child | 14565833 | US |
